CVE-2021-47544

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47544
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47544.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47544
Related
Published
2024-05-24T15:15:18Z
Modified
2024-09-11T04:41:13.864180Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix page frag corruption on page fault

Steffen reported a TCP stream corruption for HTTP requests served by the apache web-server using a cifs mount-point and memory mapping the relevant file.

The root cause is quite similar to the one addressed by commit 20eb4f29b602 ("net: fix skpagefrag() recursion from memory reclaim"). Here the nested access to the task page frag is caused by a page fault on the (mmapped) user-space memory buffer coming from the cifs file.

The page fault handler performs an smb transaction on a different socket, inside the same process context. Since sk->skallaction for such socket does not prevent the usage for the taskfrag, the nested allocation modify "under the hood" the page frag in use by the outer sendmsg call, corrupting the stream.

The overall relevant stack trace looks like the following:

httpd 78268 [001] 3461630.850950: probe:tcpsendmsglocked: ffffffff91461d91 tcpsendmsglocked+0x1 ffffffff91462b57 tcpsendmsg+0x27 ffffffff9139814e socksendmsg+0x3e ffffffffc06dfe1d smbsendkvec+0x28 [...] ffffffffc06cfaf8 cifsreadpages+0x213 ffffffff90e83c4b readpages+0x6b ffffffff90e83f31 _dopagecachereadahead+0x1c1 ffffffff90e79e98 filemapfault+0x788 ffffffff90eb0458 _dofault+0x38 ffffffff90eb5280 dofault+0x1a0 ffffffff90eb7c84 _handlemmfault+0x4d4 ffffffff90eb8093 handlemmfault+0xc3 ffffffff90c74f6d _dopagefault+0x1ed ffffffff90c75277 dopagefault+0x37 ffffffff9160111e pagefault+0x1e ffffffff9109e7b5 copyin+0x25 ffffffff9109eb40 _copyfromiterfull+0xe0 ffffffff91462370 tcpsendmsglocked+0x5e0 ffffffff91462370 tcpsendmsglocked+0x5e0 ffffffff91462b57 tcpsendmsg+0x27 ffffffff9139815c socksendmsg+0x4c ffffffff913981f7 sockwriteiter+0x97 ffffffff90f2cc56 doiterreadvwritev+0x156 ffffffff90f2dff0 doiterwrite+0x80 ffffffff90f2e1c3 vfswritev+0xa3 ffffffff90f2e27c dowritev+0x5c ffffffff90c042bb dosyscall64+0x5b ffffffff916000ad entrySYSCALL64after_hwframe+0x65

The cifs filesystem rightfully sets skallocations to GFPNOFS, we can avoid the nesting using the sk page frag for allocation lacking the _GFPFS flag. Do not define an additional mm-helper for that, as this is strictly tied to the sk page frag usage.

v1 -> v2: - use a stricted skpagefrag() check instead of reordering the code (Eric)

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.15-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}